Signature Providers

Third party signatures allow you to enhance the virus detection rate of ClamAV.

These signature providers are independent of Danami, so we have no control over them. Make sure to watch for false positives after enabling a new provider.
• When a provider is enabled the provider URLs will be added to Settings -> Signature Updates -> DatabaseCustomURL. Signature update logs can be found under Logs -> Signature Log.
• We recommend that you enable Settings -> Anti-virus Settings -> Concurrent database reload to allow non-blocking (multi-threaded/concurrent) database reloads (for systems with more than 4 GB of memory).
• Provider files are downloaded to the /var/lib/clamav/ directory. Warden will delete a database when it is de-selected or when the provider is disabled.
• The ClamAV daemon will use over 1 GB of memory with all the providers enabled so make sure your server has enough memory before enabling any providers.
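
One way to watch for false positives after enabling a provider, shown as an added example (not Danami's or ClamAV's own code): ClamAV appends .UNOFFICIAL to the name of any detection that comes from a non-official database, so the script below pulls those hits out of scan log lines and lists the signatures that fire on several distinct paths. The log lines, paths and signature names are constructed samples, and the "several paths" threshold is an assumed heuristic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in clamd-log style; paths and signature names are made up.
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 -> /var/qmail/mailnames/example.com/a/Maildir/new/1: Sanesecurity.Foxhole.Example_1.UNOFFICIAL FOUND
Mon Mar  4 10:02:13 2024 -> /var/www/vhosts/example.com/httpdocs/lib/min.js: Sanesecurity.Foxhole.Example_1.UNOFFICIAL FOUND
Mon Mar  4 10:05:40 2024 -> /var/www/vhosts/example.org/httpdocs/app.js: Sanesecurity.Foxhole.Example_1.UNOFFICIAL FOUND
Mon Mar  4 10:09:02 2024 -> /tmp/upload.pdf: SecuriteInfo.com.Example.PDF-2.UNOFFICIAL FOUND
Mon Mar  4 10:11:30 2024 -> /tmp/eicar.com: Eicar-Signature FOUND
Mon Mar  4 10:12:00 2024 -> SelfCheck: Database status OK.
"""

# Matches "path: Name.UNOFFICIAL FOUND", with an optional timestamp prefix
# ("... -> ") and an optional "(hash:size)" suffix after the name.
HIT = re.compile(
    r"^(?:.* -> )?(?P<path>.+?): (?P<sig>\S+?)\.UNOFFICIAL(?:\([0-9a-f]+:\d+\))? FOUND$"
)


def unofficial_hits(lines):
    """Yield (signature, path) for detections made by third-party databases."""
    for line in lines:
        m = HIT.match(line.strip())
        if m:
            yield m.group("sig"), m.group("path")


def provider_totals(lines):
    """Count hits by the first dotted component of the signature name."""
    return Counter(sig.split(".", 1)[0] for sig, _ in unofficial_hits(lines))


def review_queue(lines, min_paths=2):
    """Signatures that hit at least min_paths distinct paths, busiest first."""
    paths = defaultdict(set)
    for sig, path in unofficial_hits(lines):
        paths[sig].add(path)
    queue = [(sig, sorted(p)) for sig, p in paths.items() if len(p) >= min_paths]
    return sorted(queue, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(dict(provider_totals(log)))
    for sig, hit_paths in review_queue(log):
        print(f"{sig}: {len(hit_paths)} paths, e.g. {hit_paths[0]}")
```
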

SaneSecurity

SaneSecurity is a set of free signatures focusing on 0-day and 0-hour malware, which means that it includes hashes of new malicious files being sent by e-mail. It contains signatures for malicious URLs, common spam and phishing messages, and generic signatures that detect techniques commonly used in malware, such as exe files with a double extension (for example pdf.exe), exe files hidden in ISO files and often-abused functions in MS Office macros. SaneSecurity also distributes signatures from other sources, such as phishing URLs from phishtank.com.

sanesecurity_enable - sanesecurity_enable
Enable or disable the SaneSecurity signature provider.
Default: 0

sanesecurity_provider_url - sanesecurity_provider_url
The base URL of this signature provider.
Default: https://ftp.swin.edu.au/sanesecurity/

sanesecurity_provider_files - sanesecurity_provider_files
The signature database files to download from this provider.
Default: badmacro.ndb blurl.ndb bofhland_cracked_URL.ndb bofhland_malware_attach.hdb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb foxhole_filename.cdb foxhole_generic.cdb foxhole_js.cdb foxhole_js.ndb hackingteam.hsb junk.ndb jurlbl.ndb jurlbla.ndb lott.ndb malwarehash.hsb phish.ndb phishtank.ndb porcupine.ndb rogue.hdb scam.ndb shelter.ldb spamattach.hdb spamimg.hdb spear.ndb spearl.ndb winnow.attachments.hdb winnow_bad_cw.hdb winnow_extended_malware.hdb winnow_extended_malware_links.ndb winnow_malware.hdb winnow_malware_links.ndb winnow_phish_complete_url.ndb winnow_spam_complete.ndb

| File | Description | False Positive Risk |
|---|---|---|
| badmacro.ndb | Blocks dangerous macros embedded in word/excel/xml/rtf/js documents. | medium |
| blurl.ndb | Blocklisted full URLs over the last 7 days, covering malware/spam/phishing. URLs added only when main signatures have failed to detect but are known to be bad. | low |
| bofhland_cracked_URL.ndb | Spam URLs. | low |
| bofhland_malware_attach.hdb | Malware URLs. | low |
| bofhland_malware_URL.ndb | Phishing URLs. | low |
| bofhland_phishing_URL.ndb | Malware Hashes. | low |
| foxhole_filename.cdb | Block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives. | low |
| foxhole_generic.cdb | Block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filetypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb. | low |
| foxhole_js.cdb | Block most JavaScript (.js) files within Zip and Rar archives. To help minimise false positives, this database will only scan small sized Zip and Rar files. | medium |
| foxhole_js.ndb | Block ALL JavaScript (.js) files within GZip and Ace archives. | medium |
| foxhole_mail.cdb | Block any mail that contains possibly dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. | low |
| hackingteam.hsb | Hacking Team hashes converted to ClamAV format. | low |
| junk.ndb | General high hitting junk, containing spam/phishing/lottery/jobs/419s etc. | low |
| jurlbl.ndb | Junk URL based. | low |
| jurlbla.ndb | Junk URL based autogenerated from various feeds. | medium |
| lott.ndb | Lottery spam. | medium |
| malwarehash.hsb | Malware hashes without known size. | low |
| phish.ndb | Phishing and malware. | low |
| phishtank.ndb | Online and valid phishing URLs from phishtank.com data feed. | low |
| porcupine.ndb | SHA256 hashes of VBS and JSE malware (kept for 7 days). | low |
| rogue.hdb | Malware, rogue anti-virus software and fake codecs etc. Updated hourly to cover the latest malware threats. | low |
| scam.ndb | Scam spam. | low |
| shelter.ldb | Phishing and malware. | low |
| spamattach.hdb | Spam attachments such as pdfs/docs/rtf/zips. | low |
| spamimg.hdb | Spam images. | low |
| spear.ndb | Spear phishing email addresses. | medium |
| spearl.ndb | Spear phishing URLs. | medium |
| winnow.attachments.hdb | Spammed attachments such as pdfs/docs/rtf/zips. | low |
| winnow_bad_cw.hdb | MD5 hashes of malware attachments acquired directly from a group of botnets. | low |
| winnow_extended_malware.hdb | Hand generated signatures for malware. | low |
| winnow_extended_malware_links.ndb | Hand generated signatures for malware links. | medium |
| winnow_malware.hdb | Current virus, trojan and other malware not yet detected by ClamAV. | low |
| winnow_malware_links.ndb | Links to malware. | low |
| winnow_phish_complete_url.ndb | Phishing and other malicious URLs and compromised hosts. | medium |
| winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam. | medium |

SecuriteInfo

SecuriteInfo say that their ClamAV definitions add 4,000,000 signatures for malware and spam not detected by the official ClamAV signatures. There is a free feed of the signatures available which has signatures older than 30 days. For up-to-date 0-day malware detection, you will need one of their paid plans.

  1. Sign up for a free account: https://www.securiteinfo.com/clients/customers/signup. You will receive an email to activate your account and then a followup email with your login name.
  2. Login and navigate to your customer account: https://www.securiteinfo.com/clients/customers/account then click on the setup tab.
  3. You will need to get your unique customer ID hash from one of the download links; they are individual to every user. You must replace YOUR_API_KEY in the Warden provider URL with the customer ID hash that they provide you, e.g.
    Provider URL: https://www.securiteinfo.com/get/signatures/7f3a2506d23443342225c8c345345a14ce545645645644564534534a3f6b89ce51fd6d/
  4. Paid plans can add the securiteinfo.mdb and securiteinfo0hour.hdb files from the SecuriteInfo provider files select list to download additional generic and 0-hour anti-virus signatures.

SecuriteInfo recommends setting the options below for the best detection while still avoiding too many false positives when using their signatures:

  1. Go to the Warden -> Settings -> Anti-virus Settings page.
  2. Check Detect possible unwanted apps.
  3. Enter the following in the Exclude possible unwanted apps textarea then press the update button to save the page and then the restart button to restart the ClamAV daemon:
    PUA.Win.Packer
    PUA.Win.Trojan.Packed
    PUA.Win.Trojan.Molebox
    PUA.Win.Packer.Upx
    PUA.Doc.Packed

securiteinfo_enable - securiteinfo_enable
Enable or disable the SecuriteInfo signature provider.
Default: 0

securiteinfo_provider_url - securiteinfo_provider_url
The base URL of this signature provider. You must replace YOUR_API_KEY with your customer id provided after signing up at SecuriteInfo.
Default: https://www.securiteinfo.com/get/signatures/YOUR_API_KEY/

securiteinfo_provider_files - securiteinfo_provider_files
The signature database files to download from this provider.
Default: securiteinfoandroid.hdb securiteinfoascii.hdb securiteinfohtml.hdb javascript.ndb securiteinfopdf.hdb securiteinfo.hdb securiteinfo.ign2

| File | Description |
|---|---|
| javascript.ndb | Javascript malware. |
| securiteinfo.hdb | Executable malware more recent than one year (exe, com, dll). |
| securiteinfo.ign2 | Checksums of false positives or common files. Mandatory use for any usage. |
| securiteinfo.mdb | Generic signatures of malwares (paid subscription only). |
| securiteinfo0hour.hdb | Malware that appeared on the Internet in the past hour (paid subscription only). |
| securiteinfoandroid.hdb | Android malware. |
| securiteinfoold.hdb | One year old malware (optional usage). Use it if you are not limited in resources (RAM/CPU). |
| securiteinfoascii.hdb | Text file malware (Perl or shell scripts, bat files, exploits). |
| securiteinfohtml.hdb | HTML malware. |
| securiteinfopdf.hdb | PDF malware and spam. |

URLhaus

URLhaus from abuse.ch is a collection of URLs of sites distributing malware.

urlhaus_enable - urlhaus_enable
Enable or disable the URLhaus signature provider.
Default: 0

urlhaus_provider_url - urlhaus_provider_url
The base URL of this signature provider.
Default: https://urlhaus.abuse.ch/downloads/

urlhaus_provider_files - urlhaus_provider_files
The signature database files to download from this provider.
Default: urlhaus.ndb

| File | Description |
|---|---|
| urlhaus.ndb | A collection of URLs of sites distributing malware. |